ISACA Kolkata Newsletter march 2010


Published on

Case Story

Published in: Education, Sports, Travel
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

ISACA Kolkata Newsletter march 2010

  1. 1. March 2010, Volume 12 Contents 3 From the Desk of the President 4 2009-10 Member Team 5 Blackmailing - “Social Engineering” 7 Password–Its strength and susceptibility of being cracked 13 News & Update from ISACA USA Invitation to write articles Members, academicians and others are requested to send their original articles / jokes / puzzles for inclusion in the newsletter to Rajat Boobna - News Letters Editor at Disclaimer: Disclaimer ISACA Kolkata Chapter does not warrant or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information or process disclosed herein, including all the articles that have been incorporated from various sources wherein the copyright of the documents might be in position with the owner himself. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 2
  2. 2. March 2010, Volume 12 From the desk of the President Dear Professional Colleague, It is indeed a pleasure to communicate with esteemed members of the profession. We held our Annual Conference on 6th of February at Hotel Senator where eminent speakers from the industry deliberated on our theme ‘Security without Borders’. The function was a grand success and appreciated by one and all. I take this opportunity to thank everyone who directly or indirectly worked hard to make the occasion successful. The Seminar generated a lot of positive interest in the industry. ISACA, Kolkata Chapter is presenting the March 2010 issue of our e-newsletter. We are proud to say that the newsletter has generated a lot of interest and people are looking forward to its publication. In this connection, may I request all of you to kindly submit articles, experiences, quiz , knowledge etc on the area of interest to professional colleagues so that the newsletter becomes more coveted. I take this opportunity to thank Sri Rajat Boobna and his team for undertaking the task voluntarily and continuously striving to improve the quality of the newsletter. We invite suggestions from you all for further development of the Chapter . We are approaching the end of the financial year and everybody will become professionally busy. I wish you all success in your endeavors. Best Regards, Aveek Gupta, CISA Dated: 19.03.2010 President, ISACA, Kolkata Chapter ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 3
  3. 3. March 2010, Volume 12 2009-2010 Member Team Aveek Gupta Subrata Roy President Membership Dir. 9830530045 9831004140 Kaushik Nath Krishna Chanani Vice President Joint Secretary 9830288882 Pankaj Kakarania Vinod Agarwal Program Chair Secretary 9831447714 9748737963, Suvendu Chander Immediate Past-President Rajat Boobna 9830086986 Treasurer & News letter editor 9831195559 Members Syamal Nayak CISA Coordinator Piyali Basu 9831031010 Prashant Verma Dibyendu Basu CISM Coordinator Vivek Gupta 9831004140 ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 4
  4. 4. March 2010, Volume 12 Blackmailing- “SOCIAL ENGINEERING” By Vicky Shah. “Human Behavior is the Biggest Risk in Security” State: Maharashtra City: Mumbai Sections of Law: 292, 389, 420, 465, 467, 468, 469, 471, 474 IPC; r/w 67 of IT Act 2000 Internet is anonymous. It is believed that it exchanges that had taken place earlier allows users to hide themselves and play between the victim and various ‘girls’. In safe. Imagine a situation where you are addition, the accused led the victim to lured to someone online. You need to be believe that one of the ‘girl’ who used to sure of who the person is on the other side; chat with him committed suicide and the is he/she what he/she claims to be? victim was responsible for it. The accused also sent fake copies of the letters from CBI, This case story is about an accused who High Court of the Metro where the ‘girl’ was posed to be a young girl living in one of the living, New Your Police & Some University, metros in India. The accused impressed a etc… NRI working in Middle East to enter into an email correspondence. The accused The victim lived in constant fear of being introduced many female characters and arrested in connection with the suicide over used various email ids to chat and a year and half. He was afraid and nervous. correspond with the victim. The victim He paid the accused a sum of INR 1.25 believed that he was actually corresponding Crores presumably to bribe the concerned with different girls. They met on one of the officers and officials that were supposedly popular online chat group. investigation the suicide and to compensate the dead girl’s family for the loss of her Influencing the victim and winning his income. The accused created fear in victims confidence the accused asked him for mind such that he was constantly and money and gifts. The victim complied with continuously under the threat of being the requests in the hope of receiving arrested by the police. physical favors from the ‘girls’ he was Due to the pressure and stress experienced introduced with and was chatting from over by the victim, he himself contemplated past few months. However, after a period of suicide. time, when things were not materialising and the victim could not foresee the favours Important Note: he stopped online correspondences. Had the victim been alert and controlled his emotions of lust at first instance of Due to this the accused started blackmailing email exchange he would have avoided the complainant by referring to the email the chaotic situation and restrained ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 5
  5. 5. March 2010, Volume 12 himself of being an online victim that investigation was thorough and held him under such an agony. professional. Investigation Approach: Learning’s: Frustrated and helpless the victim came 1. Avoid being over friendly with over to India and surrendered himself to someone online without knowing Law Enforcement Authorities. He handed him/her personally over all the email correspondence to the 2. Avoid getting into financial officers that he had. There was no email or transaction with unknown or clue that could be traced to the Metro where anonymous person online the girl who committed suicide lived. 3. Keep trail of all possible email However, there were few interesting emails communication that took the investigating officers to the 4. Keep trail of bank statements and corporate office of a large cement company transaction details and lead them to a residence address in 5. Control emotions and do not one of the Metro other than the one where anticipate any favors - intangible the girl died. Officers conducted a raid at or tangible both the places. Disclaimer: In the raid one computer, two laptops, This story is for educational and learning seven mobile phones and a scanner were purpose. You can use the information seized. The seized equipment that was provided here with proper credits. I have recovered was sent to the office of the tried not to hide or miss any facts or forensic examiner, who found all the information as far as possible. Important evidences of e-mails, chatting details, etc… Note and Learning’s provided above in in the laptops and the computer. the case story are my personal views about the incident which I feel should be Also, during the investigation, property shared. Any errors, omissions, worth INR 9 Lakhs was seized, along with misstatements, and misunderstandings cash worth INR 3 Lakhs. The total flow of set forth in the story are sincerely the extorted money was traced from the apologized. Relying on the above bank in Middle East where the victim was contents will be sole responsibility of the staying to the account of the accused users. Inspired from Compilation of person in India. Cases book by KPMG and NASSCOM. The case is charge sheeted and matter is Please feel free to contact the author on subjudice. The IO of this case won the first for any runner up position for the India Cyber Cop clarification if required. The author Award 2005 (Initiative of Mumbai Police and sincerely appreciates your time in NASSCOM). providing your views, criticisms, suggestions for improvements and frank This case is a classic example where social feedback. engineering means are used in playing with human emotions and psychology. The “Human Behaviour is the Biggest Risk in officer’s response was swift and the case Security – Vicky Shah” ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 6
  6. 6. March 2010, Volume 12 Password-Its Strength and susceptibility of being cracked By Gautam Basu, CISA,OCP,MCP. What is a password ? dumpster diving and software vulnerabilities. Password is a form of authentication where a string of characters entered is compared Password policy. to a stored value associated with the specific user ID. A password policy may be used as a guide to choosing satisfactory passwords. They are Password Strength. usually intended to: Password strength is a measure of the effectiveness of a password in resisting • ensure the passwords are suited to the guessing and brute-force attacks. Usually it target population estimates how many trials an attacker who • advise/recommend users regarding the does not have direct access to the handling of their passwords password would need, on an average, to • recommend a requirement to change correctly guess it. The strength of a any password which has been lost or password is a function of length, complexity, compromised (password change policy), and randomness. and perhaps that no password be used Using strong passwords lowers overall risk longer than a limited time (password of a security breach, but strong passwords expiration policy) do not replace the need for other effective • some policies prescribe the pattern of security controls. The effectiveness of a characters which passwords must password of a given strength is strongly contain determined by the design and implementation of the authentication system For example, password expiration is often software, particularly (i) how frequently covered by password policies. Password password guesses can be tested by an expiration serves two purposes: attacker and (ii) how securely information on user passwords is stored and transmitted. • if the time to crack a password is However, risks are also posed by several estimated to be , let us assume, 15 means of breaching computer security days, password expiration time fewer which are unrelated to password strength. than 15 days may help ensure Such means include wiretapping, phishing, insufficient time for an attacker. keystroke logging, social engineering, ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 7
  7. 7. March 2010, Volume 12 • if a password has been hard to remember in practice. The imposition of compromised, requiring it to be a requirement for such passwords in a changed regularly may limit the password policy may encourage users to write access time for the attacker them down, store them in PDAs or cellphones, or share them with others as a safeguard Some arguments are there in air against against memory failure. These practices password expiration. It is believed by a increase security risks. Some people suggest section that recognising the reality while using multiple complex passwords. • asking users to frequently change Security expert Bruce Schneier recommends passwords encourages simple, writing down complex passwords: weak, passwords. • if one has a truly strong password, Simply, people can no longer remember there is little point in changing it, passwords good enough to reliably defend since the existing password is against dictionary attacks, and are much already strong. Changing passwords more secure if they choose a password too which are already strong merely complicated to remember and then write it introduce risk that the new password down. We're all good at securing small pieces may be less strong. However, since of paper. I recommend that people write any compromised password is weak, their passwords down on a small piece of the possibility of compromise must paper, and keep it with their other valuable be considered in estimating small pieces of paper: in their wallet.—Bruce password strength. Schneier 2005 Differences in opinions and controversies The following measures may increase are there regarding what should and/or acceptance of strong password requirements, if should not be included in the password carefully used: policy. However a clearly stated password policy and proper implementation as per the • a training program. Also, updated guidelines helps strengthening the system training for those who fail to follow the framework. password policy (lost passwords, passwords of inadequate strength etc. ). Handling passwords • reward strong password users by reducing the rate, or eliminating Among the hardest passwords to crack are altogether, the need for password long ( the longer the better), high entropy changes (password expiration). The character strings(Information entropy is the strength of user-chosen passwords can same as randomness. A string of random be estimated by automatic programs letters and numbers along the lines of which inspect and evaluate proposed "5f78HJ2Z2Xp4V7Vb6" can be said to have passwords, when setting or changing a high information entropy, in other words password. large amounts of entropy, while “Liza of • a thorough account closure process for Lambeth” can be said to have low departing users and/or a process to information entropy.). They resist brute display to each user the last login date force attacks (i.e., many characters) and and time with the intention that the user guessing attacks (i.e., high entropy). may notice unauthorized access, However, such passwords are often also suggesting a compromised password ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 8
  8. 8. March 2010, Volume 12 • allow users to reset their passwords Guessing via an automated system. However, Passwords can sometimes be guessed by some such systems are themselves humans with knowledge of the user's personal insecure; for instance, weak (or easily information. Examples of guessable passwords guessed, or insufficiently frequently include: changed) password reset keys bypass the advantages of a strong password • blank (none) system. • the words "password", "passcode", "admin", name of the organization and their derivatives What is Password Cracking? • a row of letters from the qwerty Password cracking is the process of keyboard—(qwerty itself, asdfg, or recovering password from data that has qwertyuiop) been stored in or transmitted by a computer • the user's name or login name system. A common approach is to • the name of their significant other , a repeatedly try guesses for the password. friend, relative or pet The purpose of password cracking might be • their birthplace or date of birth, or a friend's or a relative's birthplace or date (i) to help a user recover a of birth. forgotten password (though • their automobile license plate number, installing an entirely new or a friend's, or a relative's password is less of a security • their office telephone number, residence risk, but involves system telphone number or most commonly, administration privileges), their mobile number. (ii) to gain unauthorized access to • Their office or residence number or any a system, part of address (iii) a preventive measure by • a name of a celebrity they like system administrators to check • a simple modification of one of the for easily crackable preceding, such as suffixing a digit, passwords. particularly 1 or a , or reversing the order of the letters. Password cracking may be utilized to gain • a swear word access to digital evidence for which a court has allowed access but the particular file's Personal data about individuals are now access is restricted. To gain unauthorized available from various sources, many on-line, access to a system, social engineering is and can often be obtained by someone using more lethal than merely guessing. Also social engineering techniques, such as posing Social Engineering involves lower cost in as an opinion surveyor or a security control comparision with other techniques which checker. Attackers who know the user may demand investment in hardwares and have information as well. For example, if a user softwares. chooses the password "CalUniv2002" because he graduated from University of Calcutta in One of the most common questions is how 2002, an associate of that person having a to go about cracking a password. The only malafide intention might be able to guess the way to really implement effective security is password. to understand how the hackers exploit security weaknesses. ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 9
  9. 9. March 2010, Volume 12 Guessing is particularly effective with has claimed that he was able to get into the systems that employ self-service password military's networks simply by using a Perl script reset if anybody is smart enough to guess that searched for blank passwords. His report answers to the security questions. suggests that there were computers on these Dictionary attacks. networks with no passwords at all! A dictionary based password cracker I think we need to look into our behaviour software contains a database filled with pattern and day to day practices we resort to. words from the dictionary, common names Cracking programs exist which accept personal and often catch phrases from popular information about the user being attacked and movies. In order to have a secure generate common variations for passwords password, a person needs to mix random suggested by that information. numbers, letters and symbols. Such an Brute force attack. action makes the password immune to dictionary-based cracks because random A brute-force cracker is used to crack character strings reduce the possibility of passwords consisting of random character finding them in the cracking utility's strings. Brute force works by trying every dictionary. possible combination of numbers, letters and symbols until the password is revealed. Users often choose weak passwords. Examples of insecure choices include the A process of trying every possible password is above list (in guessing section), plus single known as a brute force attack. Theoretically, a words found in dictionaries, given and family brute force attack will always be successful names, any too short password (usually since the rules for acceptable passwords must thought to be 6 characters or less), or any be publicly known. But as the length of the password meeting a too restrictive and password increases, so does the number of hence predictable pattern (eg, alternating possible passwords. This method is unlikely to vowels and consonants). Repeated be practical unless the password is relatively research has demonstrated that a good small. However, techniques using parallel percentage of user-chosen passwords are processing can reduce the time to find the readily guessable by sophisticated cracking password in proportion to the number of programs armed with dictionaries and, computer devices (CPUs) in use. This depends perhaps, the user's personal information. heavily on whether the prospective attacker has access to the hash of the password, in which Some users neglect to change the default case the attack is called an offline attack (it can password that came with their computer be done without connection to the protected system account. Some administrators resource), or not, in which case it is called an neglect to change default account online attack. Offline attack is generally much passwords provided by the operating easier, because testing a password is reduced system vendor or hardware supplier. If to a quickly calculated mathematical these are not changed at system computation (i.e., calculating the hash of the configuration time, anyone familiar with password to be tried and comparing it to the such systems will have 'cracked' an hash of the real password). In an online attack important password. Such service accounts the attacker has to actually try to authenticate often have higher access privileges than himself with all the possible passwords, where that of a normal user account. arbitrary rules and delays can be imposed by Gary McKinnon, accused of perpetrating the the system and the attempts can be logged. "biggest military computer hack of all time", ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 10
  10. 10. March 2010, Volume 12 A common password length password for more than one account." recommendation is eight or more randomly However, an ordinary computer user may have chosen characters combining letters, dozens of password-protected accounts. Users numbers, and special characters with multiple accounts (and passwords) often (punctuation, etc). This recommendation give up and use the same password for every makes sense for systems using stronger account. When varied password complexity password hashing mechanisms such as requirements prevent use of the same ‘md5-crypt’ and the ‘Blowfish-based crypt’, (memorable) scheme for producing high but is inappropriate for many systems which strength passwords, overly simplified may store legacy LAN Manager hash which passwords will often be created to satisfy are prone to brute force attacks. Systems irritating and conflicting password requirements. which limit passwords to numeric characters “……I may have 15 different passwords. If I am only, or upper case only, or, generally, not allowed to write any of them down, guess which exclude possible password character what I am going to do? I am going to use the choices also make brute force attacks same password on every one of them…..”. easier. Using longer passwords in these cases (if possible) can compensate for the If passwords are written down, they should limited allowable character set. Of course, never be kept in obvious places such as even with an adequate range of character address books, under drawers or keyboards or choice, users who ignore that range (e.g., behind pictures. Perhaps the worst, but all too using only upper case alphabetic common location is a sticky note on the characters, or digits alone) make brute force computer monitor. Better locations are a safe attacks against their accounts much easier. deposit box or a locked file approved for information of sensitivity comparable to that Generic brute-force search techniques are protected by the password; most locks on office often successful, but smart brute-force file cabinets are far from adequate. Software is techniques, which exploit knowledge about available for popular hand-held computers that how people tend to choose passwords, can store passwords for numerous accounts in pose an even greater threat. encrypted form. Another approach is to use a Success for offline attacks thus depends single password for low-security accounts and partly on an attacker's ingenuity and select separate, strong passwords for a smaller resources (e.g., available time, computing number of high-value applications such as power, etc.), the latter of which will increase online banking. as computers get faster. Most commonly The benefits of precomputation and used hashes can be implemented using memorization can be nullified by randomizing specialized hardware, allowing faster the hashing process. This is known as salting. attacks. Large numbers of computers can When the user sets a password, a short, be harnessed in parallel, each trying a random string called the salt is suffixed to the separate portion of the search space. password before encrypting it; the salt is stored Unused overnight and weekend time on along with the encrypted password so that it office computers are sometimes used for can be used during verification. Since the salt is this purpose. usually different for each user, the attacker can Prevention against cracking by no longer construct tables with a single unwanted people. encrypted version of each candidate password. Computer users are generally advised to Early Unix systems used a 12-bit salt. Attackers "never write down a password anywhere, no could still build tables with common passwords matter what" and "never use the same encrypted with all 4096 possible 12-bit salts. ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 11
  11. 11. March 2010, Volume 12 However, if the salt is long enough, there A security token (or sometimes a hardware are too many possibilities and the attacker token, hard token, authentication token, USB must repeat the encryption of every guess token, cryptographic token) may be a physical for each user. Modern methods such as device that an authorized user of computer ‘md5-crypt’ and ‘bcrypt’ use salts of 48 and services is given for authentication. The term 128 bits respectively. may also refer to software tokens. The best method of preventing password Security tokens are used to prove one's identity cracking is to ensure that attackers cannot electronically (as in the case of a customer get access even to the encrypted password. trying to access their bank account). The token For example, on the Unix operating system, is used in addition to or in place of a password encrypted passwords were originally stored to prove that the customer is who they claim to in a publicly accessible file /etc/passwd. On be. The token acts like an electronic key to modern Unix (and similar) systems, on the access something. other hand, they are stored in the file Hardware tokens are typically small enough to /etc/shadow, which is accessible only to be carried in a pocket or purse and often are programs running with enhanced privileges designed to attach to the user's keychain. Some (ie, 'system' privileges). This makes it may store cryptographic keys, such as a digital harder for a malicious user to obtain the signature, or biometric data, such as a encrypted passwords in the first instance. fingerprint. Some designs feature tamper Unfortunately, many common network resistant packaging, while others may include protocols transmit passwords in cleartext or small keypads to allow entry of a PIN or a use weak challenge/response schemes. simple button to start a generating routine with Modern Unix systems have replaced some display capability to show a generated traditional DES-based password hashing key number. Special designs include a USB with stronger methods based on ‘MD5’ and connector, RFID functions or Bluetooth wireless ‘Blowfish’. Other systems have also begun interface to enable transfer of a generated key to adopt these methods. For instance, the number sequence to a client system. Cisco originally used a reversible Vigenere Now a days when most business entities cipher to encrypt passwords, but now uses cannot imagine their existence without md5-crypt with a 24-bit salt when the information systems, implementation of a strong "enable secret" command is used. These password policy and practice is of paramount newer methods use large salt values which importance. The techniques of password prevent attackers from efficiently mounting cracking are to be explored by system offline attacks against multiple user administrators and Information security persons accounts simultaneously. The algorithms to safeguard the information system. To are also much slower to execute which become a good cop one must have the drastically increases the time required to knowledge of the techniques adopted by mount a successful offline attack. thieves , though many a times the latter is found Solutions like Security token give a formal successful in outwitting the former class! ‘proof answer’ by constantly shifting Acknowledgement : The author password. Those solutions abruptly reduce acknowledges that he has taken reference the timeframe for brute forcing (attacker from several openly available and public needs to break and use the password within documents available on the internet. Due to a single shift) and they reduce the value of lack of space, each reference could not be the stolen passwords because of its short individually detailed. time validity. ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 12
  12. 12. March 2010, Volume 12 Calendar of Events Conference Spotlight Dates of conferences/events are indicated in RED; other dates and deadlines are indicated in BLACK. International Conference 6-9 June 2010 March 1-2 March............. Information Security and Risk Cancun, Mexico Management Conference, Bogota, th Now in its 38 year, the International Colombia Conference promises to be an event not to 6-7 March............. Oceania Leadership Conference, Perth, Australia be missed. At this global forum, attendees 11 March .............. Deadline for contributions to COBIT® Focus, will collaborate and connect with peers, and volume 2, 2010 17 March .............. Early-bird registration deadline for Training discover the differing ways similar problems Week, Charlotte, North Carolina, USA are solved around the world. Plus, there will 18 March .............. Deadline to submit Award Nominations be opportunities to learn about recent 20-21 March......... Europe/Africa Leadership Conference, Budapest, Hungary ISACA research projects and best 21-24 March......... EuroCACSSM, Budapest, Hungary practices, and obtain guidance on how to 22 March .............. Deadline for contributions to volume 4, tackle the tough problems facing 2010, ISACA Journal 22-26 March......... Training Week, Dallas, Texas, USA enterprises today. This year, sessions will 23 March .............. ISACA® e-Symposium be presented and/or translated into English 31 March .............. Deadline to return 2009 tax information packet to ISACA International Headquarters and Spanish. For more information and to 31 March .............. Early-bird registration deadline for register, please visit International Conference, Cancun, Mexico Future Conferences and Training Weeks April Upcoming events are noted in the Calendar 1 April ................... CRISC grandfathering opens 7 April ................... Final Registration deadline for the June of Events. Events to keep in mind for early 2010 CISA/CISM/CGEIT exams 2010 include: 17-18 April............ North America Leadership Conference, 13-15 September 2010—Information Chicago, Illinois, USA 18-22 April 2010 .. North America CACS, Chicago, Illinois, Security and Risk Management USA Conference, Las Vegas, Nevada, USA 27 April ................. ISACA e-Symposium 30 April ................. Purge of nonrenewed members 13-17 September 2010—Training Week, Orlando, Florida, USA ■ May 20 May................Deadline for contributions to volume 5, Bookstore Update 2010, ISACA Journal 24-28 May ..........Training Week, Charlotte, North Carolina, USA New ISACA research and peer-reviewed books are offered in the ISACA Bookstore, including: Securing the Information Infrastructure SharePoint Deployment and Governance Security, Audit and Control Features Oracle Using COBIT® 4.1: A Practical Approach* Database, 3rd Edition* Value Management Guidance for Assurance The Big Switch: Rewiring the World, from Professional: Using Val IT™ 2.0* Edison to Google The Risk IT Framework 2.0* Cloud Computing: Implementation, The Risk IT Practitioner Guide* Management and Security Fraud Analysis Techniques Using ACL Computer and Information Security Information Storage and Management: Handbook Storing, Managing and Protecting Digital How to Complete a Risk Assessment in 5 Information Days or Less PCI Compliance, 2nd Edition Internal Controls Policies and Procedures ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 13
  13. 13. March 2010, Volume 12 IT Financial Management individuals who elected to receive the e-mail notification. Vulnerability Management Hard copy result letters were sent out to all exam (* denotes ISACA published material) candidates the week of 1 February. Results also have been posted to the candidate’s profile on the ISACA web site. To ensure the confidentiality of scores, exam results Prepare for the June 2010 ISACA certification exams are not reported by telephone or fax. using ISACA’s latest study materials, available at, CISA, CISM and CGEIT Applications and To process applications more efficiently, exam passers should gather all application documentation [verification Visit the ISACA Bookstore at of work experience form(s) and any applicable university or see the ISACA Journal Bookstore insert for additional transcript or letter] and send them together in one information. Contact the Bookstore at package to ISACA International Headquarters. or +1.847.660.5650. ■ Completed applications may be sent via fax to Certification Update +1.847.253.1443 or through e-mail to Those wishing to send January Certifications applications via post may use the address listed on the In January 2010, 574 CISA, 134 CISM and 9 CGEIT application. If an application is submitted via fax or candidates were awarded certification. e-mail, it is not necessary to also send the hard copy. December 2009 Exam Results June 2010 Exam Registration The results of the December 2009 exams were released by one-time e-mail notification in late January to those Registration for the June 2010 CISA, CISM and CGEIT exams continues. The final registration deadline is 7 April 2010. Please refer to, 2009 Central North America or, respectively, for more details on the exam. Registrants Unfunded PCM can save US $50 by registering online at The 2009 Central North America Unfunded PCM took place on CISA, CISM and CGEIT Certification 7-8 November in Nashville, Tennessee, USA, at the Renewals Opryland Hotel. Of the 30 chapters in the region, 19 attended this meeting. In addition to several breakout Certified individuals who have not already renewed sessions, five chapters presented throughout the for 2010 should renew as soon as possible to avoid weekend. The Omaha (Nebraska, USA) Chapter revocation. Reminder invoices have been mailed. presented on how their chapter is making changes to the Renewal requires payment of the annual maintenance way it communicates with its members. The Greater fee and reporting the required CPE credits. The CISA, Cincinnati (Ohio, USA) Chapter talked about how the CISM and CGEIT CPE policies are available at chapter finds and retains good leaders for their board., The Detroit (Michigan, USA) and Middle Tennessee and (USA) chapters discussed how the chapters are holding, respectively. The successful and well-attended seminars and training renewal process can be completed online at events. The Winnipeg (Manitoba, Canada) Chapter shared ways that chapter leaders can mitigate risks for the chapter and its directors. All presentations can be The CISA certification program was awarded the Best downloaded at ■ Professional Development Grand Award and the Best Professional Development (Scheme) Award from the Hong Kong ICT Awards 2009. The Hong Kong ICT Research Update Awards were established in 2006 under a collaborative effort among industry, academia and the government. Monitoring of Internal Controls and IT This publication provides guidance and tools for New ISACA Certification: CRISC enterprises interested in applying IT to support and The grandfathering program for ISACA’s new sustain the monitoring of internal control systems and IT. certification program, Certified in Risk and Information It provides practical guidance for executing the Systems Control™ (CRISC™, pronounced see-risk), monitoring process in general and for automating the opens 1 April 2010. To learn more, visit monitoring process for increased efficiency and effectiveness. Effective IT-enabled monitoring can be of ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 14
  14. 14. March 2010, Volume 12 benefit to senior management, which includes Upcoming ISACA Releases governance bodies, the audit committee and the board • The Business Case Guide: Using Val IT™ 2.0 of directors. Customization of the approaches provided • Business Model for Information Security™ (BMIS™) will be necessary to reflect the specific circumstances of • Career Guide for Information Security and Information each enterprise. Assurance Professionals Security, Audit and Control Features Oracle® E-Business Suite, 3rd Edition An exposure draft is scheduled to be posted in March at for public comment. ©2009 ISACA. All rights reserved. ISACA Kolkata Chapter. 15